On Mon, 18 Jan 1999, TGAPE! wrote:

> Ed Doolittle wrote:

>> If security is an issue you can arrange IP tunneling through the ISP to
>> a machine at work. 

> Um, don't tell intel this.  One of Randal Schwartz' three felony counts
> was arranging IP tunneling through intel's firewall.

Jeez.  I didn't know the details of that case.  Sounds like some
thoughtlessness on both sides.

> This is *very* touchy legal ground.  My employer recently went VPN, but
> you should not set something up yourself if they don't have something. 
> You maybe can talk them into doing it, but do *NOT* set up your own
> personal tunnel, so long as you'd rather work than spend time in prison.

Well, "arranging", to me, includes obtaining permission, but thanks for
pointing this out.

> I could also mention that a VPN tunnel is not what I'd call simplicity.

Four (essentially just two) commands on one end, four on the other, taken
directly from the NET-3 HOWTO.  Make sure your forwarding rules aren't
stopping traffic.  Automating the whole process would take just a little
more work.  Additional software would be required to get the security
benefit.

>> Better would be to run named on your local machine and arrange periodic
>> transfers of information from the nameserver at work.  In either case
>> you will need to

> This is better if

>       1> You're good enough at reading, and you read all the right
>       documentation so that you can make/keep your named stable.

named is one of the toughest to configure, I'll agree, even tougher in
this peculiar case, but I think it's worth it.

>       2> You can *get* transfers from the nameserver at work.

> I couldn't do the named method, because I can't get transfers from the
> nameserver at work.  There were semi-valid security reasons given for
> this.

IP tunneling could help here too.  :-)

>>      echo 5 > /proc/sys/net/ipv4/ip_dynaddr
>> 
>> if your IP address is dynamically assigned by your ISP or the ppp server
>> at work.

> This would be less ambiguous if you added the word 'either'.

Right.  Why isn't this the default?  Maybe diald should turn it on at
startup ...

> How about method 3, which will only work if your work is set up
> hierarchically:

> Set up your named to 'serve' the company's primary domain, and it
> specifies NS records for all of the subdomains you're likely to use. 
> It'll also need to have all the top-level hosts, such as www.foo.com. 

Hmm ... good ... what would happen if you set up an NS record for the
primary domain?

> As I'm thinking about it, this would almost work in my case.  However,
> there are some subdomains I may have to use that I don't know about.

Worth some further consideration ... starting to get a little ugly,
though.

Here's the best answer to the original question: get your employer to act
as your ISP as a job benefit.  :-)

Ed

-- 
Ed Doolittle <mailto:[EMAIL PROTECTED]>
"Everything we do, we do for a reason."  -- Peter O'Chiese

